CVE-2025-3579: Code Injection Vulnerability in AiDex

9.3 CVSS

Description

In versions prior to Aidex 1.7, an authenticated malicious user, taking advantage of an open registry, could execute unauthorised commands within the system. This includes executing operating system (Unix) commands, interacting with internal services such as PHP or MySQL, and even invoking native functions of the framework used, such as Laravel or Symfony. This execution is achieved by Prompt Injection attacks through the /api//message endpoint, manipulating the content of the ‘content’ parameter.

Classification

CVE ID: CVE-2025-3579

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem Types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Affected Products

Vendor: AiDex

Product: AiDex

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 24.11% (scored less or equal to compared to others)

EPSS Date: 2025-04-16 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3579
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-aidex

Timeline

2025-04-15 09:40:12 UTC
CVE

Code Injection Vulnerability in AiDex